Re: TLS cant connect ldap+freeradius+novell



Subject of the novell-server-certificate is: O = WIFITREE
OU = Organizational CA
And that's no FQDN!?
(I exported it from the novell as a .der and extracted it to see the subject, maybe the wrong way to do it? I haven't exported the private key with either the .b64 or the .der, and that shouldn't matter?)

*output from novell*
Subject name: OU=Organizational CA.O=WIFITREE
Issuer name: OU=Organizational CA.O=WIFITREE
Effective date: den 22 oktober 2005 23:04:08
Expiration date:  den 22 oktober 2015 23:04:08
Certificate status: Valid

Any idea how to type the FQDN !? :(

(Thx for all the good answers this far!)

/Mr G


From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: TLS cant connect ldap+freeradius+novell
Date: Thu, 19 Jul 2007 17:51:24 +0200

Hmmmmm.

Martin G wrote:
> Sorry, when I tried to rehash my certificate, id changed its path, but now
> it's back and I got a new output from my ldapsearch-command:
>
> ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> ldap_initialize( ldap://10.10.0.11 )
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate

What is the CN in the SubjectDN of the ldap server's certificate? Is it a FQDN?

If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
server can't find the FQDN. Try to call ldapsearch with -h FQDN option.

Is the above warning going away?

> filter: cn=lotta
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <ou=adm,ou=malmo,o=wifi> with scope subtree
> # filter: cn=lotta
> # requesting: ALL
> #
>
> # lotta, ADM, MALMO, WIFI
> dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> zenzfdVersion::

Something is at least working. It's not SSL secured though.

...
>
> I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> as I did forget before.

slapd.conf is the config file of the openldap *server*. Messing with this
file should not change anything. Or was that a typo?

> Do I need to convert the certificate to .pem, and how, if the c_rehash doesn't
> work?

If tls_cacertdir is not set, then don't use c_rehash.

Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
certificates of the CA certificate chain that is needed to validate your
ldap server's certificate. Concatenate these PEM formatted CA certs into this
single ASCII file.

And I forgot, set ldap_debug to -1 in the radius config file.

Don't send your ldap server's password in log files ;-)

...
> Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = "10.10.0.11"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = "cn=admin,o=wifi"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_require_cert = "allow"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: password = "novell"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi"
...
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_debug = 0
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_connections_number = 5
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: compare_check_items = no

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
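The hostname check behind "TLS: hostname does not match CN in peer certificate", as an added example that is not from this thread or from OpenLDAP/FreeRADIUS: it parses a subject DN, tells apart the three situations discussed above (no CN at all, as in the Organizational CA subject; connecting by IP literal while the CN holds a name; plain mismatch), and assembles the single PEM file that tls_cacertfile expects from DER certificates. The server DN, DER bytes and hostnames are constructed sample values; the CN matching is the classic CN-only rule, not the SAN-based rule modern clients use.

```python
import ipaddress
import re
import ssl

def parse_dn(dn):
    """Split an RFC 4514 style DN ('CN=x,OU=y,O=z'; spaces around '=' are
    tolerated) into a dict keyed by upper-cased attribute type."""
    attrs = {}
    for part in re.split(r'(?<!\\),', dn):
        if '=' not in part:
            continue
        key, _, value = part.partition('=')
        attrs[key.strip().upper()] = value.strip().replace('\\,', ',')
    return attrs

def cn_matches_host(cn, host):
    """Classic CN check: case-insensitive equality, or a single leftmost
    '*' label that matches exactly one label of the host name."""
    cn, host = cn.lower().rstrip('.'), host.lower().rstrip('.')
    if cn == host:
        return True
    if cn.startswith('*.') and host.count('.') == cn.count('.'):
        return host.endswith(cn[1:])
    return False

def diagnose(subject_dn, connect_host):
    """Return a short code saying why the CN check passes or fails."""
    cn = parse_dn(subject_dn).get('CN')
    if cn is None:
        # Only O/OU present: that is the shape of a CA certificate subject,
        # not of a server certificate carrying the server's FQDN.
        return 'no-cn-in-subject'
    if cn_matches_host(cn, connect_host):
        return 'ok'
    try:
        ipaddress.ip_address(connect_host)
        # ldapsearch -h <IP>: the client compares the IP literal with the CN.
        return 'connected-by-ip-use-fqdn'
    except ValueError:
        return 'cn-mismatch'

def build_cacertfile(der_certs):
    """Concatenate DER CA certificates into one PEM text, the format the
    tls_cacertfile option wants (same result as openssl x509 -inform der + cat)."""
    return ''.join(ssl.DER_cert_to_PEM_cert(der) for der in der_certs)

# Constructed sample values; the server DN is hypothetical.
CA_SUBJECT = 'OU=Organizational CA,O=WIFITREE'
SERVER_SUBJECT = 'CN=ldap01.wifitree.example,OU=Servers,O=WIFITREE'

if __name__ == '__main__':
    print(diagnose(CA_SUBJECT, '10.10.0.11'))                   # no-cn-in-subject
    print(diagnose(SERVER_SUBJECT, '10.10.0.11'))               # connected-by-ip-use-fqdn
    print(diagnose(SERVER_SUBJECT, 'ldap01.wifitree.example'))  # ok
```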





